2.1.1 Server Security Settings

The DNS Server Management Protocol uses Security Support Provider Interface (SSPI) security provided by RPC, as specified in [MS-RPCE] section 3.3.1.5.2, for sessions that use TCP as the transport protocol. The server SHOULD register the following as security providers:

  • RPC_C_AUTHN_GSS_NEGOTIATE

  • RPC_C_AUTHN_GSS_KERBEROS

  • RPC_C_AUTHN_WINNT

The DNS server MUST allow only authenticated access to RPC clients. The DNS server MUST NOT allow anonymous RPC clients. The DNS RPC server MUST perform a three-phase authorization test to ensure that the client is authorized to perform the specific RPC operation. The three-phase authorization test is specified in section 3.1.6.1. If the server is directory server integrated, the server MUST cache directory server security descriptors until the next LDAP read operation that reads them and perform LDAP read operations for security descriptors as specified in section 3.1.6.2.

The DNS server can support up to 1,234 concurrent RPC calls.

The DNS server MUST limit access to only clients that negotiate an authentication level higher than that of RPC_C_AUTHN_LEVEL_NONE (see [MS-RPCE] section 2.2.1.1.8).
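As an added illustration (not text or code from [MS-DNSP] or from a Windows DNS server), the following Python models the RPC-layer admission checks this section requires: a registered authentication service, a negotiated level above RPC_C_AUTHN_LEVEL_NONE, no anonymous callers, and the concurrency figure above. The RPC_C_AUTHN_* and RPC_C_AUTHN_LEVEL_* numeric values are those of rpcdce.h; the ClientBinding type, the check order, and refusing calls beyond the concurrency figure are assumptions of the model.

```python
# Model of the RPC-layer admission checks in MS-DNSP section 2.1.1. Illustration
# only: ClientBinding and the check order are assumptions, not the server's code.
from dataclasses import dataclass
from typing import Optional
# RPC_C_AUTHN_* services and RPC_C_AUTHN_LEVEL_* levels, values as in rpcdce.h
RPC_C_AUTHN_GSS_NEGOTIATE = 9
RPC_C_AUTHN_WINNT = 10
RPC_C_AUTHN_GSS_KERBEROS = 16
RPC_C_AUTHN_LEVEL_DEFAULT = 0
RPC_C_AUTHN_LEVEL_NONE = 1
RPC_C_AUTHN_LEVEL_CONNECT = 2
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6

# Providers the server SHOULD register, and the concurrency figure, per 2.1.1
REGISTERED_PROVIDERS = frozenset(
    {RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_WINNT})
MAX_CONCURRENT_CALLS = 1234

@dataclass(frozen=True)
class ClientBinding:  # what the server learns about a caller (cf. RpcBindingInqAuthClient)
    authn_svc: int
    authn_level: int
    principal: Optional[str]  # None models an anonymous caller

class RpcAdmission:
    def __init__(self, max_calls: int = MAX_CONCURRENT_CALLS) -> None:
        self.max_calls = max_calls
        self.in_flight = 0

    def check(self, b: ClientBinding) -> str:
        """Return 'accept' or a rejection reason; section 3.1.6.1 is applied after."""
        if b.authn_svc not in REGISTERED_PROVIDERS:
            return "reject: unregistered authentication service"
        # "higher than NONE": DEFAULT (0) is a request sentinel, never a negotiated level
        if b.authn_level <= RPC_C_AUTHN_LEVEL_NONE:
            return "reject: authentication level not above NONE"
        if b.principal is None:
            return "reject: anonymous client"
        if self.in_flight >= self.max_calls:  # assumption: excess calls are refused
            return "reject: concurrent call limit reached"
        return "accept"

    def begin_call(self, b: ClientBinding) -> bool:
        # Admit the call and count it while it is in flight
        if self.check(b) != "accept":
            return False
        self.in_flight += 1
        return True

    def end_call(self) -> None:
        self.in_flight -= 1
```

The three-phase authorization test of section 3.1.6.1 sits behind these checks and is not modelled here.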